Here's my situation...
这是我的情况......
I'm writing a .Net/C# security system (authorization and authentication) for a large collection of web applications that require a single sign-on process. I'm using Active Directory as a data store and have written a very nice prototype that communicates with AD through LDAP. This component retrieves information about the logged in user that I have stored in AD which I then use to set their security roles in .Net forms authentication.
我正在为需要单点登录过程的大量Web应用程序编写.Net / C#安全系统(授权和身份验证)。我正在使用Active Directory作为数据存储,并编写了一个非常好的原型,通过LDAP与AD通信。此组件检索有关已存储在AD中的登录用户的信息,然后我使用该信息在.Net窗体身份验证中设置其安全角色。
1) All is good.
1)一切都很好。
Not being a System Admin, or Network Engineer, I wasn't familiar with the amount of system administration involved with setting up an AD instance. I wasn't aware that for each domain, I needed a separate server and domain controller. As it turns out, there are like 9 different domains that my team requires to be set up for all of the different environments that we're going to be accessing AD...
我不是系统管理员或网络工程师,我不熟悉设置AD实例所涉及的系统管理量。我不知道对于每个域,我需要一个单独的服务器和域控制器。事实证明,我的团队需要为我们将访问AD的所有不同环境设置9个不同的域...
- env1.dev.mycompany.com
- env1.qa.mycompany.com
- env1.stage.mycompany.com
- env2.dev.mycompany.com
- etc
...So now I have placed on upon myself somewhat of an administrative headache because I'm going to have to maintain all of these machines (or VM's), which is something that I'm not necessarily sure I want to do.
...所以现在我已经对自己施加了一些管理上的麻烦,因为我将不得不维护所有这些机器(或VM),这是我不一定确定要做的事情。
2) All is not good.
2)一切都不好。
The prototype is really solid, and AD makes for a very good database for the solution, but now I'm wondering if I should scrap the code and write a SQL Server data provider instead (I know .Net already provides one, but it doesn't alone fit my business requirements for authorization).
原型非常可靠,AD为解决方案提供了一个非常好的数据库,但现在我想知道是否应该废弃代码并编写SQL Server数据提供程序(我知道.Net已经提供了一个,但它没有根本不符合我的授权业务要求。
Anyway, so I'm trying to think through this problem from a high level perspective. In general, I keep tripping over the fact that I would be throwing a really good solution just because of some server maintenance? I'm wondering if anyone here has experienced a scenario like this and what exactly you decided to do.
无论如何,所以我试图从高层次的角度思考这个问题。总的来说,我一直在喋喋不休地说,由于一些服务器维护,我会抛出一个非常好的解决方案吗?我想知道这里是否有人经历过这样的情景以及你决定做什么。
Doesn't have to be specific to AD either, just a situation where you had to evaluate between a good software solution and it's server maintenance constraints.
不一定要特定于AD,只需要在良好的软件解决方案和服务器维护约束之间进行评估。
4 个解决方案
#1
In general, the usability of a product is what makes people to choose between it and similar products. If the product has bad usability, the users won't care how high quality its code is - all that matters to them is how easy and effective it is to use and how well it fills their needs.
一般而言,产品的可用性是人们在它和类似产品之间做出选择的原因。如果产品的可用性不好,用户就不会关心它的代码质量如何 - 对他们来说最重要的是它的使用简单有效以及它满足需求的程度。
Maintenance can be thought as one aspect of usability. I would make it top priority to have an easily maintainable product. In the long run that will save many hours of work from the administrators.
维护可以被视为可用性的一个方面。我会将易于维护的产品放在首位。从长远来看,这将节省管理员的大量工作时间。
One way to think about it, is first designing what would be the most usable solution from the end user's/administrator's viewpoint, and then making it an intellectual challenge to actually implement that optimal solution. It will probably require more effort from the programmer, but the end result will be better.
考虑它的一种方法是首先从最终用户/管理员的角度设计最有用的解决方案,然后将实际实施最佳解决方案作为一项智力挑战。它可能需要程序员更多努力,但最终结果会更好。
For example ZFS is one product where maintenance has been taken care of well (although I have not used it personally). When it was designed, much effort was put into making it easy to administer the file system with ZFS's command line tools - and those design decisions affect all levels of ZFS (for example storage pools).
例如,ZFS是一种维护得很好的产品(虽然我没有亲自使用过它)。在设计时,我们付出了很多努力,使用ZFS的命令行工具轻松管理文件系统 - 这些设计决策会影响所有级别的ZFS(例如存储池)。
As another example, I've been recently planning how do maintenance in a future project of mine - a distributed database and application server. Thinking about how typical administration tasks will happen (installing/upgrading applications, adding/removing servers in the cluster, resolving hardware failure etc.), has helped me to sort out some design decisions. Some of them go quite deep into the architecture of the system (for example how applications and extensions are loaded at runtime, and how the servers find other servers in the cluster).
另一个例子,我最近一直在计划如何在我的未来项目中进行维护 - 分布式数据库和应用程序服务器。考虑典型的管理任务将如何发生(安装/升级应用程序,在集群中添加/删除服务器,解决硬件故障等),帮助我理清了一些设计决策。其中一些深入到系统的体系结构中(例如,如何在运行时加载应用程序和扩展,以及服务器如何在集群中找到其他服务器)。
#2
If setting up a single sign on system for a Windows system I be very likly to use AD. As a sys admin. I try to follow a single-source-of-data policy. AD is already holding much of my Windows user/security data. I would prefer to have all in there rather than a second system.
如果在Windows系统上为系统设置单一登录,我非常喜欢使用AD。作为系统管理员。我尝试遵循单一数据源策略。 AD已经掌握了我的大部分Windows用户/安全数据。我宁愿让所有人都在那里而不是第二个系统。
When setting up dev/test/prod environments I try to ensure that the closely match the Prod one, most especially in the area being worked on (where development efforts are being put, etc). So if setting up system to develop an interface with AD I would likely have multiple AD servers.
在设置dev / test / prod环境时,我会尽量确保与Prod环境紧密匹配,尤其是在正在开发的区域(开发工作正在进行等等)中。因此,如果设置系统来开发与AD的接口,我可能会有多个AD服务器。
What options could simplify the admin?
哪些选项可以简化管理员?
Can you have 1 master server that you maintain in the standard manner and use something like a VMware copy process to maintain all or most of the others? Rather than doing something to 9 servers, keep the other 8 as copies of that mirror the master except for changes made to support dev/test?
您是否可以使用标准方式维护的1个主服务器,并使用类似VMware复制过程的方式维护所有其他服务器或大多数其他服务器?除了为支持dev / test所做的更改之外,不要对9个服务器执行某些操作,而将其他8个作为主镜像的副本保留为主服务器?
Can you run multiple Dev or Test domains from 1 AD server?
您可以从1个AD服务器运行多个Dev或Test域吗?
Can you script action?
你可以编写动作吗?
Can you reduce the number of environments, especially at the higher end of test? E.g. provide multiple dev environments and role up releases into a single Test one?
您是否可以减少环境数量,尤其是在测试的较高端?例如。提供多个开发环境和角色升级版本到一个测试版本?
#3
Why not simply use OUs instead of separate domains when testing? That is, have a single domain, but specify that users for particular versions must be found in a particular OU inside that domain. What you would do is in your search functions for looking up users, you'd specify the particular OU as the search root instead of the root of the domain. In each OU you could have ids that incorporate the environment to keep them unique, e.g., user_env1_dev, user_env2_dev, user_env1_qa, ...
为什么不在测试时简单地使用OU而不是单独的域?也就是说,拥有一个域,但指定必须在该域内的特定OU中找到特定版本的用户。您要做的是在查找用户的搜索功能中,您将特定的OU指定为搜索根,而不是域的根。在每个OU中,您可以使用包含环境的ID来保持它们的唯一性,例如user_env1_dev,user_env2_dev,user_env1_qa,...
I use AD a lot for my apps and never set up separate domains for development/testing.
我为我的应用程序使用了很多AD,并且从未为开发/测试设置单独的域。
#4
Use a provider pattern and abstract your datasource calls.
使用提供程序模式并抽象数据源调用。
Then you can configure it to use AD or SQL on the fly.
然后,您可以将其配置为动态使用AD或SQL。
public abstract SSODataProvider {
public bool AuthenticateUser(string u, string p);
}
public ADSSODataProvider : SSODataProvider {
public override AutheticateUser(string u, string p) {
//do auth here
}
}
public SQLSSODataProvider : SSODataProvider {
public override AuthenticateUser(String u, string p) {
//call DB
}
}
public static SSODataProvider dataProvider;
if (ConfigurationSettings.AppSettings["SSODataProvider"] == "SQL")
dataProvider = new SQLSSODataProvider();
else
dataProvider = new ADSSODataProvider();
....
dataProvider.AuthenticateUser("sss","sss");
#1
In general, the usability of a product is what makes people to choose between it and similar products. If the product has bad usability, the users won't care how high quality its code is - all that matters to them is how easy and effective it is to use and how well it fills their needs.
一般而言,产品的可用性是人们在它和类似产品之间做出选择的原因。如果产品的可用性不好,用户就不会关心它的代码质量如何 - 对他们来说最重要的是它的使用简单有效以及它满足需求的程度。
Maintenance can be thought as one aspect of usability. I would make it top priority to have an easily maintainable product. In the long run that will save many hours of work from the administrators.
维护可以被视为可用性的一个方面。我会将易于维护的产品放在首位。从长远来看,这将节省管理员的大量工作时间。
One way to think about it, is first designing what would be the most usable solution from the end user's/administrator's viewpoint, and then making it an intellectual challenge to actually implement that optimal solution. It will probably require more effort from the programmer, but the end result will be better.
考虑它的一种方法是首先从最终用户/管理员的角度设计最有用的解决方案,然后将实际实施最佳解决方案作为一项智力挑战。它可能需要程序员更多努力,但最终结果会更好。
For example ZFS is one product where maintenance has been taken care of well (although I have not used it personally). When it was designed, much effort was put into making it easy to administer the file system with ZFS's command line tools - and those design decisions affect all levels of ZFS (for example storage pools).
例如,ZFS是一种维护得很好的产品(虽然我没有亲自使用过它)。在设计时,我们付出了很多努力,使用ZFS的命令行工具轻松管理文件系统 - 这些设计决策会影响所有级别的ZFS(例如存储池)。
As another example, I've been recently planning how do maintenance in a future project of mine - a distributed database and application server. Thinking about how typical administration tasks will happen (installing/upgrading applications, adding/removing servers in the cluster, resolving hardware failure etc.), has helped me to sort out some design decisions. Some of them go quite deep into the architecture of the system (for example how applications and extensions are loaded at runtime, and how the servers find other servers in the cluster).
另一个例子,我最近一直在计划如何在我的未来项目中进行维护 - 分布式数据库和应用程序服务器。考虑典型的管理任务将如何发生(安装/升级应用程序,在集群中添加/删除服务器,解决硬件故障等),帮助我理清了一些设计决策。其中一些深入到系统的体系结构中(例如,如何在运行时加载应用程序和扩展,以及服务器如何在集群中找到其他服务器)。
#2
If setting up a single sign on system for a Windows system I be very likly to use AD. As a sys admin. I try to follow a single-source-of-data policy. AD is already holding much of my Windows user/security data. I would prefer to have all in there rather than a second system.
如果在Windows系统上为系统设置单一登录,我非常喜欢使用AD。作为系统管理员。我尝试遵循单一数据源策略。 AD已经掌握了我的大部分Windows用户/安全数据。我宁愿让所有人都在那里而不是第二个系统。
When setting up dev/test/prod environments I try to ensure that the closely match the Prod one, most especially in the area being worked on (where development efforts are being put, etc). So if setting up system to develop an interface with AD I would likely have multiple AD servers.
在设置dev / test / prod环境时,我会尽量确保与Prod环境紧密匹配,尤其是在正在开发的区域(开发工作正在进行等等)中。因此,如果设置系统来开发与AD的接口,我可能会有多个AD服务器。
What options could simplify the admin?
哪些选项可以简化管理员?
Can you have 1 master server that you maintain in the standard manner and use something like a VMware copy process to maintain all or most of the others? Rather than doing something to 9 servers, keep the other 8 as copies of that mirror the master except for changes made to support dev/test?
您是否可以使用标准方式维护的1个主服务器,并使用类似VMware复制过程的方式维护所有其他服务器或大多数其他服务器?除了为支持dev / test所做的更改之外,不要对9个服务器执行某些操作,而将其他8个作为主镜像的副本保留为主服务器?
Can you run multiple Dev or Test domains from 1 AD server?
您可以从1个AD服务器运行多个Dev或Test域吗?
Can you script action?
你可以编写动作吗?
Can you reduce the number of environments, especially at the higher end of test? E.g. provide multiple dev environments and role up releases into a single Test one?
您是否可以减少环境数量,尤其是在测试的较高端?例如。提供多个开发环境和角色升级版本到一个测试版本?
#3
Why not simply use OUs instead of separate domains when testing? That is, have a single domain, but specify that users for particular versions must be found in a particular OU inside that domain. What you would do is in your search functions for looking up users, you'd specify the particular OU as the search root instead of the root of the domain. In each OU you could have ids that incorporate the environment to keep them unique, e.g., user_env1_dev, user_env2_dev, user_env1_qa, ...
为什么不在测试时简单地使用OU而不是单独的域?也就是说,拥有一个域,但指定必须在该域内的特定OU中找到特定版本的用户。您要做的是在查找用户的搜索功能中,您将特定的OU指定为搜索根,而不是域的根。在每个OU中,您可以使用包含环境的ID来保持它们的唯一性,例如user_env1_dev,user_env2_dev,user_env1_qa,...
I use AD a lot for my apps and never set up separate domains for development/testing.
我为我的应用程序使用了很多AD,并且从未为开发/测试设置单独的域。
#4
Use a provider pattern and abstract your datasource calls.
使用提供程序模式并抽象数据源调用。
Then you can configure it to use AD or SQL on the fly.
然后,您可以将其配置为动态使用AD或SQL。
public abstract SSODataProvider {
public bool AuthenticateUser(string u, string p);
}
public ADSSODataProvider : SSODataProvider {
public override AutheticateUser(string u, string p) {
//do auth here
}
}
public SQLSSODataProvider : SSODataProvider {
public override AuthenticateUser(String u, string p) {
//call DB
}
}
public static SSODataProvider dataProvider;
if (ConfigurationSettings.AppSettings["SSODataProvider"] == "SQL")
dataProvider = new SQLSSODataProvider();
else
dataProvider = new ADSSODataProvider();
....
dataProvider.AuthenticateUser("sss","sss");